Analysis
max time kernel: 22s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17/12/2024, 20:59
Static task: static1
Behavioral task: behavioral1
Sample: 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Resource: win7-20240903-en
General
Target: 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Size: 292KB
MD5: eab583259bde4b70b251e103bd7ac490
SHA1: 15d86e4289881fbcc6cebaba6bb88f80867d1870
SHA256: 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92
SHA512: 7cde0823ae4697c95b611c6ed21ff8a7ed0d70bf9ed46878f2487c3c78b47eb3f42a1c01055ebb31f9d631c5211a12ba5c39f093e8ce1fc5164a4ee6b161841d
SSDEEP: 6144:/vEF2U+T6i5LirrllHy4HUcMQY68AzQR5PSV1:nEFN+T5xYrllrU7QY68ZSH
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
--- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
--- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
--- | --- | ---
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Sality family
-
UAC bypass
description | ioc | Process
--- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Windows security bypass
description | ioc | Process
--- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
--- | --- | ---
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Deletes itself 1 IoCs
pid | Process
--- | ---
2756 | explorer.exe
Executes dropped EXE 4 IoCs
pid | Process
--- | ---
2756 | explorer.exe
2572 | spoolsv.exe
2228 | svchost.exe
1052 | spoolsv.exe
Loads dropped DLL 8 IoCs
pid | Process
--- | ---
2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
2756 | explorer.exe
2756 | explorer.exe
2572 | spoolsv.exe
2572 | spoolsv.exe
2228 | svchost.exe
2228 | svchost.exe
Windows security modification
description | ioc | Process
--- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | explorer.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
--- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Checks whether UAC is enabled
description | ioc | Process
--- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
--- | --- | ---
File opened (read-only) | \??\H: | explorer.exe
File opened (read-only) | \??\I: | explorer.exe
File opened (read-only) | \??\J: | explorer.exe
File opened (read-only) | \??\K: | explorer.exe
File opened (read-only) | \??\E: | explorer.exe
File opened (read-only) | \??\G: | explorer.exe
resource | yara_rule
--- | ---
behavioral1/memory/2260-4-0x00000000026E0000-0x000000000376E000-memory.dmp | upx
behavioral1/memory/2260-8-0x00000000026E0000-0x000000000376E000-memory.dmp | upx
behavioral1/memory/2260-3-0x00000000026E0000-0x000000000376E000-memory.dmp | upx
behavioral1/memory/2260-1-0x00000000026E0000-0x000000000376E000-memory.dmp | upx
behavioral1/memory/2260-10-0x00000000026E0000-0x000000000376E000-memory.dmp | upx
behavioral1/memory/2260-9-0x00000000026E0000-0x000000000376E000-memory.dmp | upx
behavioral1/memory/2260-7-0x00000000026E0000-0x000000000376E000-memory.dmp | upx
behavioral1/memory/2260-12-0x00000000026E0000-0x000000000376E000-memory.dmp | upx
behavioral1/memory/2260-5-0x00000000026E0000-0x000000000376E000-memory.dmp | upx
behavioral1/memory/2260-78-0x00000000026E0000-0x000000000376E000-memory.dmp | upx
behavioral1/memory/2756-92-0x0000000003450000-0x00000000044DE000-memory.dmp | upx
behavioral1/memory/2756-97-0x0000000003450000-0x00000000044DE000-memory.dmp | upx
behavioral1/memory/2756-96-0x0000000003450000-0x00000000044DE000-memory.dmp | upx
behavioral1/memory/2756-94-0x0000000003450000-0x00000000044DE000-memory.dmp | upx
behavioral1/memory/2756-99-0x0000000003450000-0x00000000044DE000-memory.dmp | upx
behavioral1/memory/2756-98-0x0000000003450000-0x00000000044DE000-memory.dmp | upx
behavioral1/memory/2756-95-0x0000000003450000-0x00000000044DE000-memory.dmp | upx
behavioral1/memory/2756-121-0x0000000003450000-0x00000000044DE000-memory.dmp | upx
behavioral1/memory/2756-122-0x0000000003450000-0x00000000044DE000-memory.dmp | upx
behavioral1/memory/2756-125-0x0000000003450000-0x00000000044DE000-memory.dmp | upx
Drops file in Windows directory 6 IoCs
description | ioc | Process
--- | --- | ---
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\SYSTEM.INI | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
--- | --- | ---
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
--- | ---
2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
2756 | explorer.exe
2756 | explorer.exe
2756 | explorer.exe
2756 | explorer.exe
2756 | explorer.exe
2756 | explorer.exe
2756 | explorer.exe
2756 | explorer.exe
2228 | svchost.exe
2228 | svchost.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2228 | svchost.exe
2756 | explorer.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2756 | explorer.exe
2228 | svchost.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2228 | svchost.exe
2756 | explorer.exe
2228 | svchost.exe
2756 | explorer.exe
2756 | explorer.exe
2228 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
--- | ---
2756 | explorer.exe
2228 | svchost.exe
Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
--- | --- | ---
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
--- | ---
2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
2756 | explorer.exe
2756 | explorer.exe
2572 | spoolsv.exe
2572 | spoolsv.exe
2228 | svchost.exe
2228 | svchost.exe
1052 | spoolsv.exe
1052 | spoolsv.exe
2756 | explorer.exe
2756 | explorer.exe
Suspicious use of WriteProcessMemory 34 IoCs
description | pid | Process | procid_target
--- | --- | --- | ---
PID 2260 wrote to memory of 1108 | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 19
PID 2260 wrote to memory of 1156 | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 20
PID 2260 wrote to memory of 1184 | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 21
PID 2260 wrote to memory of 2032 | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 23
PID 2260 wrote to memory of 2756 | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 30
PID 2260 wrote to memory of 2756 | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 30
PID 2260 wrote to memory of 2756 | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 30
PID 2260 wrote to memory of 2756 | 2260 | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe | 30
PID 2756 wrote to memory of 2572 | 2756 | explorer.exe | 31
PID 2756 wrote to memory of 2572 | 2756 | explorer.exe | 31
PID 2756 wrote to memory of 2572 | 2756 | explorer.exe | 31
PID 2756 wrote to memory of 2572 | 2756 | explorer.exe | 31
PID 2572 wrote to memory of 2228 | 2572 | spoolsv.exe | 32
PID 2572 wrote to memory of 2228 | 2572 | spoolsv.exe | 32
PID 2572 wrote to memory of 2228 | 2572 | spoolsv.exe | 32
PID 2572 wrote to memory of 2228 | 2572 | spoolsv.exe | 32
PID 2228 wrote to memory of 1052 | 2228 | svchost.exe | 33
PID 2228 wrote to memory of 1052 | 2228 | svchost.exe | 33
PID 2228 wrote to memory of 1052 | 2228 | svchost.exe | 33
PID 2228 wrote to memory of 1052 | 2228 | svchost.exe | 33
PID 2228 wrote to memory of 1864 | 2228 | svchost.exe | 34
PID 2228 wrote to memory of 1864 | 2228 | svchost.exe | 34
PID 2228 wrote to memory of 1864 | 2228 | svchost.exe | 34
PID 2228 wrote to memory of 1864 | 2228 | svchost.exe | 34
PID 2756 wrote to memory of 1108 | 2756 | explorer.exe | 19
PID 2756 wrote to memory of 1156 | 2756 | explorer.exe | 20
PID 2756 wrote to memory of 1184 | 2756 | explorer.exe | 21
PID 2756 wrote to memory of 2032 | 2756 | explorer.exe | 23
PID 2756 wrote to memory of 2228 | 2756 | explorer.exe | 32
PID 2756 wrote to memory of 2228 | 2756 | explorer.exe | 32
PID 2756 wrote to memory of 1108 | 2756 | explorer.exe | 19
PID 2756 wrote to memory of 1156 | 2756 | explorer.exe | 20
PID 2756 wrote to memory of 1184 | 2756 | explorer.exe | 21
PID 2756 wrote to memory of 2032 | 2756 | explorer.exe | 23
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
--- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Processes

Level 1: C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1108

Level 1: C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1156

Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1184

  Level 2: C:\Users\Admin\AppData\Local\Temp\40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\40a476c2bcbad8d8f2ccd4e37c0cf854cb2df1ae0dbc7dae1c7b2a12eeb4ad92N.exe"
    PID: 2260
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    Level 3: \??\c:\windows\system\explorer.exe
      Command line: c:\windows\system\explorer.exe
      PID: 2756
      - Modifies WinLogon for persistence
      - Modifies firewall policy service
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

      Level 4: \??\c:\windows\system\spoolsv.exe
        Command line: c:\windows\system\spoolsv.exe SE
        PID: 2572
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        Level 5: \??\c:\windows\system\svchost.exe
          Command line: c:\windows\system\svchost.exe
          PID: 2228
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          Level 6: \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe PR
            PID: 1052
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

          Level 6: C:\Windows\SysWOW64\at.exe
            Command line: at 21:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 1864
            - System Location Discovery: System Language Discovery

          Level 6: C:\Windows\SysWOW64\at.exe
            Command line: at 21:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 2912

Level 1: C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 2032
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (9)
Downloads